Skip to content

Add authorization logging across requests #12255

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 4, 2025
Merged

Add authorization logging across requests #12255

merged 1 commit into from
Nov 4, 2025

Conversation

@walterhpearce
Copy link
Contributor

@walterhpearce walterhpearce commented Oct 31, 2025

This adds:

  • Masked (SHA256 hashed) logging of Authorization header
  • Masked (SHA256 hashed) logging of Cookie header
  • new custom_metadata.auth_type log entry for the authorization type, being: trustpub, cookie, token

Using a masked version of the authorization or cookie headers across the logs, we can specifically look for cases of tokens used across requests. This can let us detect cases such as: someone attempting tokens/cookies across multiple users, a token used across various crates, or cookie theft across users.

This came up when responding to the recent phishing incidents, where I wanted to quickly investigate, via logs, actions conducted across users and crates with specific tokens, or correlate past vs. future actions of a given user matching on token/cookie and not specifically just IP/user.

Turbo87
Turbo87 approved these changes Nov 3, 2025
View reviewed changes
@Turbo87 Turbo87 added the C-internal 🔧 Category: Nonessential work that would make the codebase more consistent or clear label Nov 3, 2025
@walterhpearce
Copy link
Contributor Author

walterhpearce commented Nov 3, 2025

Applied your naming change, works for me. I don't really care at all, so whatever makes the most sense from your perspective.

@walterhpearce @Turbo87
Add logging of hashed authorization information
a786afd 
... for cross-checking usage of compromised keys.

Specifically, adds a `custom_metadata.auth_type` value, specifying the authentication type used for actions. Additionally, adds `http.request.headers.hashed_authorization` and `http.request.headers.hashed_cookie` for logging SHA256 hashed copies of the authorization and/or cookie headers used in the request.
@Turbo87 Turbo87 enabled auto-merge (squash) November 4, 2025 11:29
@Turbo87 Turbo87 merged commit f3616f2 into rust-lang:main Nov 4, 2025
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Turbo87 Turbo87 Turbo87 approved these changes

Assignees

No one assigned

Labels

A-backend ⚙️ C-internal 🔧 Category: Nonessential work that would make the codebase more consistent or clear

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@walterhpearce @Turbo87 @rustbot